Cyber Incident Victim: Bellingcat
Date: Sep 2016
Location: Russia
Summary
Russian hackers targeted an investigative journalism group involved in the MH17 crash investigation through sophisticated cyberattacks, including spearphishing, credential harvesting, SMS spoofing, and website defacement. ThreatConnect identified the attackers as linked to Russian state-sponsored actors such as FANCY BEAR and CyberBerkut. The journalism group faced sustained operations aimed at retaliating against it for negatively impacting Russia's image, including the leak of a contributor's personal details and disruption of its online presence. These attacks align with broader patterns of state-sponsored cyber operations against entities perceived as damaging to Russian interests.
Description
In 2016, cybersecurity firm ThreatConnect documented a series of cyberattacks targeting Bellingcat, an investigative journalism group that contributed to the Joint Investigation Team’s (JIT) inquiry into the downing of Malaysia Airlines Flight MH17 over eastern Ukraine in 2014. The JIT had concluded the aircraft was shot down by a missile transported from Russia, a finding supported by Bellingcat’s research. ThreatConnect’s analysis revealed that Russian threat actors, including the group known as FANCY BEAR, conducted sophisticated attacks against Bellingcat starting as early as 2015. These attacks employed spearphishing campaigns designed to harvest credentials, consistent with FANCY BEAR’s tactics, techniques, and procedures. In February 2016, a separate pro-Russian group calling itself CyberBerkut defaced Bellingcat’s website and leaked the personal details of Ruslan Leviev, a Russia-based contributor to the organization. CyberBerkut, while presenting itself as Ukrainian hacktivists, was suspected by ThreatConnect to be a front for Russian state interests. The attacks aimed to disrupt Bellingcat’s work and retaliate for its role in investigations that implicated Russia in the MH17 incident.

ThreatConnect characterized the targeting of Bellingcat as symptomatic of a broader pattern of Russian state-sponsored cyber operations against entities perceived to damage Russia’s international image. The firm noted similarities between the attack methods used against Bellingcat and those deployed against other organizations, including the World Anti-Doping Agency (WADA), which faced breaches following its investigations into Russian doping scandals. The incidents against Bellingcat resulted in operational disruptions, reputational risks from leaked contributor data, and the defacement of its digital assets. Prior research by Trend Micro had also identified Russian hackers as likely perpetrators of attempted data thefts targeting the MH17 investigation team itself, reinforcing the link between these cyber campaigns and Russian strategic interests. The sustained targeting underscored the growing threat of state-aligned cyber actors against private organizations engaged in sensitive geopolitical investigations.
